PCI DSS Compliance: Failure Is Not an Option

The average American credit cardholder carries 3.5 credit cards, according to the Federal Reserve Bank of Boston's 2010 Survey of Consumer Payment Choice. Today, consumers use credit cards to pay for more than just large-ticket items. Everything from household items and utilities to insurance premiums and student loans are tallying up charges on the average monthly statement, demonstrating the growing reliance of consumers on credit cards and the importance of protecting these numbers.

So, whether you are a large retailer or a small Internet boutique, if you accept credit cards, you need to keep that information secure. It's not just about compliance with the Payment Card Industry Data Security Standard (PCI DSS) -- more importantly, you owe it to your customers.

PCI DSS was developed as part of a collaboration between MasterCard Worldwide, Visa International, American Express, Discover Financial Services and JCB. Their efforts have culminated in the standard that serves as a directive and guideline to help organizations prevent the misuse of credit card data.

Who Needs To Comply

All merchants and service providers who store, process and transmit credit card information must undergo quarterly self-assessments as well as audits (vulnerability scans) by an Approved Scanning Vendor (ASV) in accordance with PCI DSS Scanning Procedures.

Large merchants (i.e., more than 6 million transactions per year for all outlets including e-commerce) and service providers (i.e., more than 1 million transactions per year) must also undergo annual on-site audits performed by a PCI DSS Qualified Security Assessor (QSA).

The audit is inclusive of all systems, applications and technical measures, as well as policies and procedures used in to store, process and transmit cardholder and credit card information.

What Is Considered Sensitive Data

Per the standard, the following information is considered sensitive:

Primary Account Number (PAN)

Cardholder name

Service code

Expiration date

Pin Verification Value (PVV)

Security code (3 or 4 digit)

In accordance with the standard, merchants or service providers are not allowed to store the PVV or the security code that uniquely identifies the piece of plastic in the cardholder's possession at the time of the transaction. However, the PAN, cardholder name, service code and expiration date may be stored.

More Than Secure Databases

Many organizations naturally focus protection efforts on cardholder information within databases, a challenge for which technical solutions abound. However, as breaches like Citigroup's and Pfizer's
have shown, enterprises also face challenges controlling access to and dissemination of spreadsheets and other documents that contain cardholder information.

Exporting sensitive cardholder data out of databases is all too common, often done so that the information may be analyzed as part of market research or be imported into other applications. In fact, 42 percent of enterprises
hold customer data in spreadsheets as a matter of course, according to Ventana Research, and these figures don't include the individual users who conduct such exports on their own for business analytics or other purposes.

In the case of PCI, it is important to protect not only databases, but also file shares and SharePoint sites that house these spreadsheets and documents. Organizations need to implement a comprehensive system not only to find PCI information that resides outside of databases, but also to manage authorization, access control and auditing of all unstructured and semi-structured data stores.

When file shares contain any PCI-designated sensitive information, organizations need to audit, review and tighten up access to these shared networked resources as part of their PCI compliance efforts.

Costs/Risks Of Noncompliance

Credit card fraud and misuse reaches into the billions of dollars annually. While the costs per incident may vary by merchant size, they include the following:

Loss of income from fraudulent transaction

Cost to reissue cards

Costs of investigation and possible litigation

Possible fines imposed by credit card companies

Loss of reputation, customer confidence and business

Possible loss of ability to accept credit cards for payment

PCI Compliance the Easy Way

There are six principles organizations need to address when seeking to comply with PCI DSS:

Continual identification of relevant data

A process to identify and revoke unwarranted access

A process to configure and review logical access controls

Proper separation of duties

Monitoring and analysis of all access activity for possible abuse

Evidence that all processes are being followed

Logical access control objectives are based on the principle of least privilege: Access should be granted only to those people who are required to perform a user's function. Many audit regulations now focus on proper access and use of unstructured data on file systems and SharePoint servers.

It stands to reason that wherever the organization has permissions to write or read data, a data owner (or steward) should be designated to decide who gets access, acceptable use, etc. Otherwise, decisions about that data are left up to IT staff, who have little organizational context about the data they are trying to manage and protect.

In order to identify an owner, IT needs to know who is making use of data -- analyzing data usage over time provides actionable business intelligence on the probable data owner of any folder. Using these statistics, administrators can quickly see the most active users of a data container. Often, one of the active users is the data owner. Active users who are not the business owner will likely work for the data owner, or at least know who the data owner is likely to be.

Data owners need to be automatically involved in the authorization workflows and entitlement reviews for their data. Automation enables users to request data access, route requests to the data owner and other appropriate parties, execute the appropriate actions, and track each request. Entitlement reviews, or attestations, should also be similarly automated and auditable.

While managing all this may seem an insurmountable task, software solutions are available to streamline the process of finding PCI data and aggregating user and group information, permissions information, access information and content information (which files actually contain PCI data) from directories and file servers.

Sophisticated analytics can then be applied to reveal detailed data use and misuse, and determine rightful access based on business need. Using this intelligence, organizations can then

provide alerts on behavioral deviations that may signal a possible data breach.

As credit card usage continues to grow, merchants must prioritize the security of their customers' sensitive information. A breach of this information doesn't just affect the person whose account has been emptied -- it can affect your reputation if the violation is traced to your door. So remember the importance of compliance for everyone in the chain. With the help of technology, it may be easier than you realize to avoid being the weak link.

David Gibson is director of technical services at
Varonis Systems and a Certified Information Systems Security Professional (CISSP).